2017-02-18

Snooper's Charter and LINX

Update: (at the top to be clear)...

As expected...

LINX have confirmed that the governance discussions are totally unrelated to IPA and intercept on the basis that such laws apply regardless, and gagging orders apply. The good news is LINX have been taking legal advice to understand how they would handle such orders, and if they can provide warrant canaries (which they feel they cannot).

Original article:

As reported in The Register, and the LINX reply, there is concern over some of the changes to the way LINX is governed - a matter to be voted on this week at the LINX96 meeting.

For those of you that do not know, LINX is a major UK peering point - it is a network infrastructure mostly in London (the "L" in LINX) that connects lots of Internet providers together and is used a lot by everyone that accesses the Internet in the UK.

This is a serious matter - what do all of the secret / gagged orders in the Investigatory Powers Act mean for a membership organisation like LINX? Could it mean secret orders that a handful of people know of, implemented in order to spy on members' traffic? Every member is a part of LINX!

Well, what I am told is that is not the idea, but I am concerned that the changes could inadvertently allow such orders. We need to be sure of some transparency, at least, before approving them.

However, what it has highlighted is that we need some frank and open debate within LINX on the whole issue of the IP Act and the possibility of secret orders to snoop on LINX traffic. The same needs to happen at LONAP too.

So, personally, I am not yet up to speed on the changes proposed, and if they allow "secret" orders or not, but this is my overall view, so far. I expect to blog again once we have had some discussions during the week and the vote is over. It is serious stuff - my own staff are already asking if we should stay LINX members or leave, just based on The Register article, and we are not alone in asking this.

So what needs to be addressed:

We need to consider what LINX may be asked to do. This means lawyers and maybe even talking to The Home Office (maybe someone has?!). And we need to debate and agree in advance the way this needs to be handled with members.

We need to consider the level of transparency of any such orders, with members, and outside LINX. What if LINX M&A mean the directors have to discuss any orders with members? Is that good or bad? Does it make The Home Office re-think orders? What do they have to consider in asking for intercepts and data retention (collection)?

To what extent will LINX management challenge orders? Clause 87(4) tries to stop any retention order forcing a provider to monitor "third party data". But for LINX, anything over and above Ethernet MAC addresses is "third party data", so needs to be challenged via the appeal process and even the courts if necessary. I am sure LINX would get support from ORG and/or EFF on taking any such matter to CJEU or the ECHR (whilst we still can).

What exposure does LINX management and even LINX membership have? Can management share "gagged" orders with membership? They have to be able to share to some extent with the techies making it happen, so there is scope, but how much transparency is allowed, and what are the consequences? Some of it is NOT CRIMINAL in any way in that no "offence" is defined in law - it is simply a "duty" not to disclose, enforced by civil proceedings (telling LINX "stop sharing this information" after it has already been shared). But even if shared with members, are members exposed if they share with customers or the press, and is that exposure for LINX as a whole or just that member?

In all of this I am making the huge assumption that LINX members do not want snooping by anyone - very much against the spirit of the Internet. If I am wrong and actually LINX members do want government snooping, we will be leaving LINX and so will many others. But we need the debate to understand if we do all agree on this position in the first place.

But ultimately, do any of us (LINX members) want to be part of an organisation that would secretly snoop on its members? I would not. Let's hope that is not what this is about, and we can move on with M&A changes in one form or another, and then start some serious debate and discussion with members on what will and must happen if the IP Act ever does come to bite us...

The reality of today's UK interception regime is: someone in your organisation (you may not know who) is asked to "co-operate" with the authorities. They do what they're told to do. This is highly unlikely to ever reach management, board, or shareholders. The same happens at all your suppliers (transit, datacentre, BT for DSL backhaul, etc), so any "assurances" you may get from them are bunkum, they probably don't know themselves they've been tapped. This is even before GCHQ do any of their own work.

My organisation, that could not happen. I would know. We have a policy of anyone finding any kit plugged in to our network is to eBay it. Anyone working in such a way, legally or not, would be sacked on the spot and they know that. As for suppliers, another question.

If you were to leave Linx, is there a sufficiently robust alternative IXP such that there would be no loss in the quality of service that AAISP provide? There only appear to be another eight IXPs in the UK, of which three are owned by Linx. If you replaced them with a foreign based IXP, could that have any adverse effect on customers' connections?

So how do you feel now about remaining with Linx, RevK, following Tuesday's vote, which was less than encouraging? I know only what Duncan Campbell reported in The Register the next day - that most members couldn't be bothered to vote and of those that did 63% supported the change, albeit short of the 75% necessary to pass it through.

Did you get satisfactory answers from the Linx management to all the concerns you listed above? I mean other than bland assurances that the proposals were totally unrelated to IPA?
